On the impossibility of non-static quantum bit commitment between two parties 
Recently, Choi et al. proposed an assumption on the Mayers-Lo-Chau (MLC) no-go theorem that the state of the entire quantum system is invariable to both participants before the unveiling phase. This means that the theorem is only applicable to static quantum bit commitment (QBC). This paper finds that the assumption is unnecessary and the MLC no-go theorem can be applied not only to static QBC, but also to non-static QBC. A non-static QBC protocol proposed by Choi et al. is briefly reviewed and analyzed to work as a supporting example. In addition, a novel way to prove the impossibility of the two kinds of QBC is given.

PACS numbers: 03.67.Dd 



I. INTRODUCTION

Bit commitment allows a sender (Alice) to commit a bit $b \in \{0,1\}$ to a receiver (Bob) in the following way: 1) Alice cannot change the value of the committed bit after the commitment phase (binding property); 2) Bob cannot obtain the value of the committed bit before the unveiling phase (concealing property). Bit commitment is an important cryptographic primitive and can be used as a building block for some other cryptographic protocols, such as coin flipping, oblivious transfer, zero-knowledge proof, and multiparty computation.

A secure bit commitment protocol should satisfy the binding property and the concealing property at the same time. However, unconditionally secure classical bit commitment protocols do not exist. There are only some unconditionally binding and computationally concealing bit commitment protocols, or unconditionally concealing and computationally binding ones. Since unconditionally secure quantum key distribution protocols were proposed, some quantum bit commitment (QBC) protocols have been proposed with the hope that QBC can provide unconditional security [10-12]. The most famous one is the bit commitment protocol proposed by Brassard et al., which was claimed to be unconditionally secure. Unfortunately, the protocol was shown to be insecure afterwards. Furthermore, Mayers, Lo and Chau proved that general secure QBC protocols are impossible, which is called the MLC no-go theorem.

Although the discovery of the MLC no-go theorem discouraged much study of QBC protocols, researchers try to design secure QBC by adopting certain restrictions or weakening some security requirements. For instance, Kent proposed two bit commitment protocols based on special relativity theory; Damgård et al. designed a secure QBC protocol in a bounded quantum-storage model; Hardy and Kent gave a secure cheat sensitive QBC protocol ensuring that if either a committer or a committee cheats, the other can detect it with a nonzero probability. Besides these, secure QBC protocols are implemented in a noisy-storage model under the assumption that the dishonest party cannot access large-scale reliable quantum storage [20].

Recently, Choi et al. proposed a secure non-static QBC protocol with the help of a trusted third party (TTP) [21] and pointed out that the MLC no-go theorem is based on an assumption that the whole quantum state is static before Alice reveals the committed bit. That is to say, the MLC no-go theorem was thought to be applicable to static QBC only. D'Ariano et al. also hold this opinion and gave another strengthened and explicit proof involving impossibility of some non-static QBC protocols [22]. However, we find that the assumption given by Choi et al. in [21] is unnecessary and non-static QBC is also impossible just due to the MLC no-go theorem. Although Choi et al. proposed a secure non-static QBC protocol by adopting a TTP [21], the protocol is still different from a general two-party QBC protocol and is somewhat similar to a quantum secret sharing protocol. Interestingly, the non-static QBC protocol without the TTP can just serve as an example to show that the MLC no-go theorem can be applied to non-static QBC also. In addition, we prove the impossibility of the two kinds of QBC in a different way: we prove that any binding QBC protocol is not concealing, while the earlier related proofs, including the one in [21], show that any concealing protocol is not binding.

The rest of this paper is organized as follows. In the next section, it will be shown that the assumption of the MLC no-go theorem given by Choi et al. is unnecessary and the MLC no-go theorem can be applied to both static QBC and non-static QBC. The non-static QBC protocol proposed by Choi et al. is reviewed and analyzed in Sec. III. Then the impossibility of QBC is proved in Sec. IV in a different way. The last section concludes the paper.
II. APPLICABILITY OF THE MLC NO-GO THEOREM TO NON-STATIC QBC

The MLC no-go theorem was proved along the following basic idea. Suppose the initial states of Alice and Bob are $|b\rangle_A$ ($b \in \{0, 1\}$) and $|\psi\rangle_B$, respectively, and let $U_{AB}$ denote all the algorithms that Alice and Bob may implement. Then the final quantum state shared by Alice and Bob is $|\phi_b\rangle_{AB} = U_{AB}(|b\rangle_A \otimes |\psi\rangle_B)$. If a QBC protocol is perfectly concealing, namely

$$\rho_0^B = \mathrm{Tr}_A(|\phi_0\rangle_{AB}\langle\phi_0|) = \mathrm{Tr}_A(|\phi_1\rangle_{AB}\langle\phi_1|),$$

then there exists a local unitary transformation $S_A$ satisfying

$$(S_A \otimes I)\,U_{AB}(|b\rangle_A \otimes |\psi\rangle_B) = U_{AB}(|1-b\rangle_A \otimes |\psi\rangle_B)$$

according to the Gisin-Hughston-Jozsa-Wootters theorem given in [23]. So, by postponing measurements and implementing local unitary operations, Alice can change the value of the committed bit arbitrarily without being discovered by Bob. If the QBC protocol is supposed to be unconditionally concealing, similar results can be derived also.
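The step from the concealing condition to the cheating operation $S_A$ can be checked numerically on a two-qubit toy case. The following Python code is an added example, not code from the paper: the states `C0`, `C1`, `C_LEAKY` and all function names are constructed for illustration, and it assumes the state committing 0 has an invertible coefficient matrix.

```python
from math import sqrt

def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def dagger(X):
    return [[X[j][i].conjugate() for j in range(2)] for i in range(2)]

def inverse(X):
    det = X[0][0] * X[1][1] - X[0][1] * X[1][0]
    return [[X[1][1] / det, -X[0][1] / det], [-X[1][0] / det, X[0][0] / det]]

def close(X, Y, tol=1e-12):
    return all(abs(X[i][j] - Y[i][j]) < tol for i in range(2) for j in range(2))

def reduced_state_bob(C):
    # rho^B[j][q] = sum_i C[i][j] * conj(C[i][q]) for |phi> = sum_ij C[i][j]|i>_A|j>_B
    return [[sum(C[i][j] * C[i][q].conjugate() for i in range(2))
             for q in range(2)] for j in range(2)]

def cheating_unitary(C0, C1):
    """S_A with (S_A (x) I)|phi_0> = |phi_1>, or None if rho_0^B != rho_1^B."""
    if not close(reduced_state_bob(C0), reduced_state_bob(C1)):
        return None                  # Bob can distinguish: not perfectly concealing
    S = matmul(C1, inverse(C0))      # (S_A (x) I) maps C to S C; needs C0 invertible
    if not close(matmul(dagger(S), S), [[1, 0], [0, 1]]):
        raise ValueError("S_A is not unitary")
    return S

H = 1 / sqrt(2)
# Constructed sample states (assumptions for illustration, not the paper's protocol):
C0 = [[H, 0.0], [0.0, H]]           # b = 0: (|0>|0> + |1>|1>)/sqrt(2)
C1 = [[0.5, 0.5], [0.5, -0.5]]      # b = 1: (|0>|+> + |1>|->)/sqrt(2)
C_LEAKY = [[H, 0.0], [0.5, 0.5]]    # (|0>|0> + |1>|+>)/sqrt(2): rho^B differs from C0's

if __name__ == "__main__":
    S = cheating_unitary(C0, C1)
    print("S_A =", S)
    print("flips the commitment:", close(matmul(S, C0), C1))
    print("leaky pair:", cheating_unitary(C0, C_LEAKY))
```

For the concealing pair the recovered $S_A$ is the Hadamard matrix, acting on Alice's qubit only; for the leaky pair Bob's reduced states differ, so no such operation is returned.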

However, Choi et al. observed that the local unitary operation $S_A$ performed by Alice is related to Bob's initial state $|\psi\rangle_B$ [21]. If $|\psi\rangle_B$ is random and unknown to Alice, she cannot find a suitable local unitary operation to change the committed value. Thus, a necessary assumption of the MLC no-go theorem is that the state of the quantum system should be static to both participants. This means the MLC no-go theorem was considered to be applicable to static QBC only.

As shown above, the proof of the MLC no-go theorem is based on the following strategy: a QBC protocol is first supposed unconditionally concealing and it is then proved that unconditionally binding is impossible. So, Theorem 1 can be obtained, which means that the assumption of the MLC no-go theorem suggested by Choi et al. is unnecessary.



Theorem 1. The MLC no-go theorem is also applicable to non-static QBC.

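Proof: Assume $|\psi\rangle_B$ is random and unknown to Alice. Let $U_{AB} = \sum_{ijkl} a_{ijkl}\,|i\rangle_A |j\rangle_B\,{}_A\langle k|\,{}_B\langle l|$ and $|\psi\rangle_B = \sum_m c_m |m\rangle_B$, then we have

$$|\phi_b\rangle_{AB} = U_{AB}(|b\rangle_A \otimes |\psi\rangle_B) = \sum_{ijkl} a_{ijkl}\,|i\rangle_A |j\rangle_B\,{}_A\langle k|\,{}_B\langle l| \left(\sum_m c_m |b\rangle_A |m\rangle_B\right) = \sum_{ijl} a_{ijbl}\,c_l\,|i\rangle_A |j\rangle_B,$$

and

$$\rho_b^B = \mathrm{Tr}_A(|\phi_b\rangle_{AB}\langle\phi_b|) = \mathrm{Tr}_A\left(\sum_{ijl} a_{ijbl}\,c_l\,|i\rangle_A |j\rangle_B \sum_{pqr} a^*_{pqbr}\,c_r^*\,{}_A\langle p|\,{}_B\langle q|\right) = \sum_{ijlqr} a_{ijbl}\,a^*_{iqbr}\,c_l c_r^*\,|j\rangle_B\langle q|.$$

Suppose a non-static QBC protocol is perfectly concealing, then $\rho_0^B$ and $\rho_1^B$ should be identical for any $|\psi\rangle_B = \sum_m c_m |m\rangle_B$, i.e.,

$$\rho_0^B = \sum_{ijlqr} a_{ij0l}\,a^*_{iq0r}\,c_l c_r^*\,|j\rangle_B\langle q| = \sum_{ijlqr} a_{ij1l}\,a^*_{iq1r}\,c_l c_r^*\,|j\rangle_B\langle q| = \rho_1^B.$$

Since the above formula always holds for any $|\psi\rangle_B$, we have

$$a_{ij0l}\,a^*_{iq0r} = a_{ij1l}\,a^*_{iq1r}. \qquad (1)$$

Let $S_A = \sum_{xy} S_{xy}\,|x\rangle_A\langle y|$, where

$$S_{xy} = 0 \ \text{ if } x \neq y, \qquad S_{xx} = 0 \ \text{ if } a_{xq1r} = 0 \text{ for any } q \text{ and } r, \qquad S_{xx} = \frac{a_{xq1r}}{a_{xq0r}} \ \text{ otherwise.}$$

Equation (1) makes $S_A$ always satisfy

$$(S_A \otimes I_B)|\phi_0\rangle_{AB} = \left(\sum_{xy} S_{xy}\,|x\rangle_A\langle y| \otimes \sum_k |k\rangle_B\langle k|\right) \sum_{ijl} a_{ij0l}\,c_l\,|i\rangle_A |j\rangle_B = \sum_{ijl} a_{ij0l}\,c_l \sum_x S_{xi}\,|x\rangle_A |j\rangle_B = \sum_{ijl} a_{ij1l}\,c_l\,|i\rangle_A |j\rangle_B = |\phi_1\rangle_{AB},$$

for any $|\psi\rangle_B$. Thus the non-static QBC protocol is not binding. If we assume it is unconditionally concealing, similar results can be obtained also. ■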



III. REVIEW AND ANALYSIS OF CHOI ET AL.'S NON-STATIC QBC PROTOCOL

In [21], Choi et al. proposed an unconditionally secure non-static QBC protocol with the aid of a TTP. We briefly review it in the following four phases and then show that its simplified version can serve as an example demonstrating that the MLC no-go theorem is applicable to non-static QBC.






a. Preparing phase: First, Alice and TTP share $N$ maximally entangled states in the form $|\psi^-\rangle_{AT} = \frac{1}{\sqrt{2}}(|01\rangle_{AT} - |10\rangle_{AT})$. This kind of entangled state has a special property, namely the equation

$$|\psi^-\rangle_{AT} = (U \otimes U)|\psi^-\rangle_{AT}$$

holds up to the global phase for any unitary transformation $U$. Then, TTP applies random projection measurements represented as

$$M_i = \{|\psi_i\rangle_T\langle\psi_i|,\ |\psi_i^\perp\rangle_T\langle\psi_i^\perp|\}$$

to its qubit of each entangled state $|\psi^-\rangle_{AT}$ for $i = 1 \sim N$. If the measurement outcome of TTP is then Alice's measurement result should be $|\psi_i\rangle_A$ = (!/«)). But TTP does not announce $M_i$ now, so Alice cannot know the result $|\psi_i\rangle_A$.

b. Commitment phase: To commit the bit $b$, Alice applies the corresponding operations $P_i \in \{M, N, J, K\}$, where

M 1 1 ,N = -1

If Alice chooses to commit $b = 0$, she randomly sends $M|\psi_i\rangle_A$ or $N|\psi_i\rangle_A$ to Bob. Otherwise, she sends $J|\psi_i\rangle_A$ or $K|\psi_i\rangle_A$ instead with the same probability. To guarantee the randomness, Alice introduces an auxiliary system $A'$ whose initial state is $|+\rangle_{A'} = \frac{1}{\sqrt{2}}(|0\rangle_{A'} + |1\rangle_{A'})$. Then the state of the whole system $A'A$ is $|+\rangle_{A'}|\psi_i\rangle_A$. If $b = 0$, Alice applies $|0\rangle_{A'}\langle 0| \otimes M + |1\rangle_{A'}\langle 1| \otimes N$ to $A'A$ to obtain

$$|\Psi_0\rangle_{A'A} = \frac{|0\rangle_{A'} \otimes M|\psi_i\rangle_A + |1\rangle_{A'} \otimes N|\psi_i\rangle_A}{\sqrt{2}}.$$

Otherwise, she implements $|0\rangle_{A'}\langle 0| \otimes J + |1\rangle_{A'}\langle 1| \otimes K$ on $A'A$ and gets

$$|\Psi_1\rangle_{A'A} = \frac{|0\rangle_{A'} \otimes J|\psi_i\rangle_A + |1\rangle_{A'} \otimes K|\psi_i\rangle_A}{\sqrt{2}}.$$

Due to the randomness of $|\psi_i\rangle_A$, the resulting state $|\Psi_b\rangle_{A'A}$ is also different, thus Alice cannot control the relationship between $|\Psi_0\rangle_{A'A}$ and $|\Psi_1\rangle_{A'A}$ without knowing the exact state.

c. Sustaining phase: In this phase, both Alice and Bob do nothing.

d. Revealing phase: Alice unveils all $P_i$'s, and then TTP opens all $M_i$'s and the corresponding measurement outcomes. After knowing all the information, Bob measures $P_i^\dagger P_i|\psi_i\rangle$ with $M_i$ and compares all the measurement results with those TTP announced. If all the measurement outcomes are opposite, Alice is honest and the committed value has not been changed; otherwise Alice is dishonest.

In [21], Choi et al. claimed that the protocol is unconditionally secure. However, the use of a TTP means that the above non-static QBC protocol does not correspond to the fact that only two parties are involved in a general QBC protocol, although the TTP plays only a small role in offering quantum sources and is not involved in communication between the two parties directly. In a way, the protocol is more like a quantum secret sharing protocol. For instance, the cooperation between Bob and TTP can get Alice's committed value while one of them cannot. If the actions implemented by TTP are replaced by Bob, the protocol will not be secure. As shown by Choi et al. in [21], if the non-static QBC protocol without a TTP is perfectly concealing, a local unitary operator

$$S_A = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$$

such that $J = aM + bN$ and $K = cM + dN$, can be used to freely change the committed bit. Thus it can be seen that Choi et al.'s non-static QBC protocol without a TTP can serve as a specific example to demonstrate that the MLC no-go theorem is applicable to non-static QBC also.

IV. PROOF OF IMPOSSIBILITY OF QBC BY ANOTHER WAY

Although non-static QBC between two participants is also impossible due to the MLC no-go theorem, it provides us another way to prove the impossibility of both non-static and static QBC.

Let us show the case of non-static QBC first. The premise of the proof of the MLC no-go theorem is that the QBC protocol is supposed to be perfectly concealing,

$$F(\rho_0^B, \rho_1^B) = 1, \qquad (2)$$

or unconditionally concealing,

$$F(\rho_0^B, \rho_1^B) = 1 - \delta,$$

where $\delta > 0$.

For non-static QBC protocols, different initial states $|\psi\rangle_B$ may lead to different $\rho_b^B$, so the value of $F(\rho_0^B, \rho_1^B)$ may vary and it is difficult to make the concealing property be satisfied. On the other hand, since $|\psi\rangle_B$ is totally random and unknown to Alice, it is difficult for Alice to find an appropriate local unitary operator $S_A$ such that

$$F\big((S_A \otimes I)\,U_{AB}(|b\rangle_A \otimes |\psi\rangle_B),\ U_{AB}(|1-b\rangle_A \otimes |\psi\rangle_B)\big) = 1 \qquad (3)$$

or

$$F\big((S_A \otimes I)\,U_{AB}(|b\rangle_A \otimes |\psi\rangle_B),\ U_{AB}(|1-b\rangle_A \otimes |\psi\rangle_B)\big) = 1 - \delta$$

is satisfied for all $|\psi\rangle_B$.

Thus, it is better to suppose a non-static QBC protocol is perfectly or unconditionally binding and then prove it cannot be perfectly or unconditionally concealing.
Assume a non-static QBC protocol is perfectly binding, i.e., there does not exist a local unitary operator $S_A$ such that Eq. (3) holds for any $|\psi\rangle_B$. Then there must be some $|\psi\rangle_B$ such that

$$\rho_0^B = \mathrm{Tr}_A(|\phi_0\rangle_{AB}\langle\phi_0|) \neq \mathrm{Tr}_A(|\phi_1\rangle_{AB}\langle\phi_1|) = \rho_1^B.$$

Otherwise, the assumption violates the MLC no-go theorem. In other words, if Eq. (2) holds for any $|\psi\rangle_B$, Alice can find a local unitary operation $S_A$ to freely change the committed bit according to the MLC no-go theorem. Thus Bob can choose such $|\psi\rangle_B$ to get some information of Alice's committed bit and the non-static QBC is not perfectly concealing. If a non-static QBC protocol is assumed to be unconditionally binding, similar conclusions can be made.

This new approach can also be used to prove the impossibility of static QBC. Given a fixed $|\psi\rangle_B$, if a static QBC protocol is supposed to be perfectly binding, then there is no local unitary operator $S_A$ satisfying Eq. (3). According to Uhlmann's theorem in [25], we can find $|\phi\rangle$, a purification of $\rho_0^B$, such that

where $|\phi_1\rangle = U_{AB}(|1\rangle_A \otimes |\psi\rangle_B)$ is a purification of $\rho_1^B$. Between two purifications of $\rho_0^B$, $|\phi\rangle$ and $|\phi_0\rangle = U_{AB}(|0\rangle_A \otimes |\psi\rangle_B)$, there always exists a local unitary operator $S'_A$ such that $(S'_A \otimes I)|\phi_0\rangle = |\phi\rangle$. Besides, from the assumption, we know that there does not exist a local unitary operator $S_A$ such that $(S_A \otimes I)|\phi_0\rangle = |\phi_1\rangle$. Thus $|\phi\rangle$ cannot be equal to $|\phi_1\rangle$ and

$$F(\rho_0^B, \rho_1^B) = |\langle\phi|\phi_1\rangle| < 1,$$

which means the static QBC protocol is not perfectly concealing. If we assume a static QBC protocol is unconditionally binding, we can prove it is not unconditionally concealing by a similar method.



V. CONCLUSION

In this paper, we show that the assumption given by Choi et al. on the MLC no-go theorem in [21], that the entire quantum state should be static to both participants before the unveiling phase, is unnecessary, and the MLC no-go theorem can be applied to both static QBC and non-static QBC. In addition, a secure non-static QBC protocol proposed by Choi et al. in [21] is found to be more like a quantum secret sharing protocol than a general two-party QBC protocol. Inspired by the non-static QBC, we prove the impossibility of QBC in another way: suppose a QBC protocol is binding first, then show it is not concealing. Now, we can say that the MLC no-go theorem shows that any two-party QBC protocol satisfying the concealing property is not binding, and the novel proof for the impossibility of QBC given by us shows that any two-party QBC protocol satisfying the binding property is not concealing. In all, any two-party QBC protocol, no matter static or non-static, is not secure.